What is the biggest attack in GBPS you stopped
-
I can tell you this much….
Windows firewall doesn't get affected by any of these attacks. If you put the server out front and only have WF running and forwarding traffic to the server then it can handle it easily.
It seems to only affect UNIX/Linux/BSD distros.
Say what? After all these years of Windows bashing by the nix and open source fans Windows firewall puts it to shame. LOL
-
Dunno really what this debate is about. You don't stop DDoS via packet filters. You null route it. It's damn useless to packet filter DDoS crap – even if the firewall does not crash, the packet flood still totally fills your pipe and renders it useless.
-
Depending on your pipe.
I have 2x10G in the datacenter on WAN and it doesn't get filled at all. So no blocking of the pipe in that relation.
It's the handling of packets, and yes you can packet filter DDoS and not nullroute it.
That's exactly what they want to achieve and we need a FW solution that can handle it at wire speed.
No matter the cores and memory, pfSense still dies instantly.
So tell me where the culprit is, because traffic hardly gets to the servers at all. If I stick a Windows firewall on WAN directly on the server, then everything is fine even under several gigabit/s traffic patterns.
-
Depending on your pipe.
I have 2x10G in the datacenter on WAN and it doesn't get filled at all. So no blocking of the pipe in that relation.
It's the handling of packets, and yes you can packet filter DDoS and not nullroute it.
That's exactly what they want to achieve and we need a FW solution that can handle it at wire speed.
Exactly. Right now 6 Gbps does not fill the pipe of the main access, which peaks at 40 Gbps, but yes it fills the pipe of the server, which is 1G. The purpose is to prevent nullrouting for all attacks inferior to half the pipe by putting a firewall between the main router and the rack (20 Gbps is half the datacenter pipe).
-
And you can't do that with pfSense.
It can't handle the DDoS traffic at all; especially SYN ACK and OVH scripts kill it instantly.
-
That is an unorthodox way of arguing, Supermule; proving an item's inadequacies by proving your inability to skillfully operate said <thing>(pfSense, Linux, Ford F150, shovels, pants, etc). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>only validates your stand-point more and more. A strange way to prove a point… ;)
ghislain26, you say you can get your device installed earlier in the HOPs? Is this data-center multi-homed?
-
ghislain26, you say you can get your device installed earlier in the HOPs? Is this data-center multi-homed?
From what I have been told the 40 Gbps from multiple peerings arrives at 2 redundant Ciscos where I can connect in 10 Gbps ports (2 ports in bonding here), so I can filter there; normally the main routers go in 20 Gbps to the room routers.
So I would be playing the role of the room routers for my IPs with my filtering box and from there go to my rack, probably in bridging mode. Of course the fact that I have basic knowledge of networking but not advanced limits my possibilities.
-
@ghislain26:
ghislain26, you say you can get your device installed earlier in the HOPs? Is this data-center multi-homed?
From what I have been told the 40 Gbps from multiple peerings arrives at 2 redundant Ciscos where I can connect in 10 Gbps ports (2 ports in bonding here), so I can filter there; normally the main routers go in 20 Gbps to the room routers.
So I would be playing the role of the room routers for my IPs with my filtering box and from there go to my rack, probably in bridging mode. Of course the fact that I have basic knowledge of networking but not advanced limits my possibilities.
Do you have plenty of logs during the DDoS so that you can figure out what the first hints will be that the attack is beginning? Did they use just 1 type of attack, or did they use multiple? Did you get multiple types of DDoS simultaneously, or did the attacks come in coordinated waves? Did a majority of the IPs come from a common area that you can set an alias for?
-
The attack we faced was from 2 Gbps to 6.5 Gbps of small UDP packet floods on random ports (the destination ports changed every 10 minutes or so from what I gathered). The IPs were numerous and from India and China, probably some botnet or simply spoofed, but I believe it was a botnet.
I do not have a trace or evidence as I had no filtering device, and when the attacks were "on" I was unable to reach the server until they nullrouted my IP at the data center, so... I poke around to see if I can build up some protection. Even if I know a flood bigger than 15 Gbps will probably get me nullrouted anyway, I want to provide minimum resistance to the lesser floods and not be killed by one person with 2 servers flooding a 1 Gbps port.
-
@ghislain26:
The attack we faced was from 2 Gbps to 6.5 Gbps of small UDP packet floods on random ports (the destination ports changed every 10 minutes or so from what I gathered). The IPs were numerous and from India and China, probably some botnet or simply spoofed, but I believe it was a botnet.
I do not have a trace or evidence as I had no filtering device, and when the attacks were "on" I was unable to reach the server until they nullrouted my IP at the data center, so... I poke around to see if I can build up some protection. Even if I know a flood bigger than 15 Gbps will probably get me nullrouted anyway, I want to provide minimum resistance to the lesser floods and not be killed by one person with 2 servers flooding a 1 Gbps port.
And there is nothing the datacenter where your rack is in can do for you? How do they nullroute the traffic for you? Why can't they offer you something to protect you from those DDoS attacks?
Would be interesting to know if they are not offering such a service as an option on top of their service!
edit: I found something that would be placed between both routers at the WAN interfaces and the firewalls later after them in the background; pending on what throughput we are talking about, the right appliance must be chosen. Here is a PDF from them about their hardware.
-
If you are so smart and "godlike" then pls. post a working config and an IP that I can target.
Then I will prove my point…
When logging, it can be both TCP and UDP. UDP floods tend to be bandwidth consuming and TCP are specific protocols and maybe L7 traffic like VSE, RUDY or ARME scripts...
OVH takes down pfSense at once no matter the bandwidth. We have seen as low as 40 Mbit make it completely useless and servers are unreachable.
-
That is an unorthodox way of arguing, Supermule; proving an item's inadequacies by proving your inability to skillfully operate said <thing>(pfSense, Linux, Ford F150, shovels, pants, etc). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>only validates your stand-point more and more. A strange way to prove a point… ;)
ghislain26, you say you can get your device installed earlier in the HOPs? Is this data-center multi-homed?
If you are so smart and "godlike" then pls. post a working config and an IP that I can target.
Then I will prove my point…
When logging, it can be both TCP and UDP. UDP floods tend to be bandwidth consuming and TCP are specific protocols and maybe L7 traffic like VSE, RUDY or ARME scripts...
OVH takes down pfSense at once no matter the bandwidth. We have seen as low as 40 Mbit make it completely useless and servers are unreachable.
Either become part of the solution to your problem, or move on. Perhaps create a thread dedicated to your problem and all the logical steps you have taken to isolate the bug. What led you to suspect that your bug affects all unix-based operating systems?
What sort of things have you already eliminated as potential culprits? Have you already confirmed the cause of your bug?
Being light on the details and heavy on the emotion says obvious things about your intent, though… I could be wrong. :)
-
BlueKobold: if I could make the DC make the move for me I would have, trust me :p They do not offer DDoS mitigation other than nullrouting. The problem is not to check if another one can do it for me; I am sure it would be better to take it where the pipes are the biggest, but I cannot. I opened this thread to see if there was some use case similar to mine willing to share experience on this :)
Supermule: if you agree to that I could send you an IP in private, but before that I will try to have written permission from the DC just to be sure and prevent any legal issue for anyone :p
Anything that helps the thing move forward is great :) Looking forward to any other experiences; I learn at the same time and educate myself.
-
They do not offer DDoS mitigation other than nullrouting.
Ah, ok this was not clear to me!
-
You are.
That is an unorthodox way of arguing, Supermule; proving an item's inadequacies by proving your inability to skillfully operate said <thing>(pfSense, Linux, Ford F150, shovels, pants, etc). To continually defend your stance, it is in your self-interest to not only stay ignorant, but perhaps even choose to learn exclusively the wrong ways of using <thing>. The worse your skills become with <thing>only validates your stand-point more and more. A strange way to prove a point… ;)
ghislain26, you say you can get your device installed earlier in the HOPs? Is this data-center multi-homed?
If you are so smart and "godlike" then pls. post a working config and an IP that I can target.
Then I will prove my point…
When logging, it can be both TCP and UDP. UDP floods tend to be bandwidth consuming and TCP are specific protocols and maybe L7 traffic like VSE, RUDY or ARME scripts...
OVH takes down pfSense at once no matter the bandwidth. We have seen as low as 40 Mbit make it completely useless and servers are unreachable.
Either become part of the solution to your problem, or move on. Perhaps create a thread dedicated to your problem and all the logical steps you have taken to isolate the bug. What led you to suspect that your bug affects all unix-based operating systems?
What sort of things have you already eliminated as potential culprits? Have you already confirmed the cause of your bug?
Being light on the details and heavy on the emotion says obvious things about your intent, though… I could be wrong. :)
-
I can't believe this thread is on to the second page…
You cannot mitigate a DDoS attack with a single firewall/router. If it was that easy, don't you think Sony, Microsoft and anyone running a cloud service would do it and DDoS would be a thing of the past? If it was that easy, why are there services like CloudFlare that specialize in DDoS protection? Only global traffic inspection & load-balancing will do it for you... if you're willing to pay.
Give up on this notion of blocking DDoS with pfSense.
-
Listen… pfSense replies to specific traffic in a non-orderly fashion. It chokes itself...
And yes you can. Ask yourself why people say it can't be done. Because they pay BIG bucks to get protected.....
But in fact they don't. They just get null routed and then wait for services to come back online.
-
Listen… pfSense replies to specific traffic in a non-orderly fashion. It chokes itself...
And yes you can. Ask yourself why people say it can't be done. Because they pay BIG bucks to get protected.....
But in fact they don't. They just get null routed and then wait for services to come back online.
Can I see some proof, or must I trust you?
-
And yes you can. Ask yourself why people say it can't be done. Because they pay BIG bucks to get protected…..
But in fact they don't. They just get null routed and then wait for services to come back online.
I'm not sure who you're talking to here.
Can I see some proof, or must I trust you?
Heh, give him a public IP of one of your routers and perhaps you may see for yourself…
-
Null routing won't protect you against spoofed source IPs. It's the firewall's job to drop out-of-state packets, not die. I understand that the fast path is if the state already exists, I understand that running through the rules is not quite as fast as the fast path, but that's not the issue either. The issue is dropped packets are somehow the most expensive path of all, to the point that the router dies with only a relative trickle of them.
Maybe this is more of a FreeBSD issue than pfSense, but it seems to be something misconfigured or a fundamental flaw.
Step 1) See if packet is part of an existing flow; if so pass, else go to step 2
Step 2) Check packet against rules; if it passes, create new flow, else go to step 3
Step 3) Drop packet then jump off a cliff
Step 3 needs to be fixed to not be so emo.
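The three-step pipeline in the post above (existing flow, rule check, drop) is modelled here as a small Python example added to this thread; it is not pfSense or pf code. It keys flows on a simplified (src, dst, dport, proto) tuple, lets only a bare TCP SYN or a UDP packet open a new flow, and counts drops in a sliding window so that a burst of out-of-state packets, which is what a spoofed SYN/ACK flood looks like from the filter's point of view, surfaces as an alert rather than as a dead box. The rule set, the 50-drops-per-second threshold and all traffic are constructed for the example.

```python
"""Toy stateful packet filter following the three steps in the post:
  step 1: packet matches an existing flow        -> pass (fast path)
  step 2: no flow, rules allow it                -> create flow, pass
  step 3: rule miss / out-of-state               -> drop (must stay cheap)
The drop counter turns a flood of out-of-state packets into an alert.
Illustrative model only, not pfSense/pf code."""

from collections import namedtuple, Counter

Packet = namedtuple("Packet", "ts src dst dport proto flags")


def flow_key(p):
    """Simplified flow key; a real filter tracks both directions."""
    return (p.src, p.dst, p.dport, p.proto)


class StatefulFilter:
    def __init__(self, rules, drop_threshold=50, window=1.0):
        self.rules = rules              # set of (proto, dport) allowed to open a flow
        self.flows = set()              # state table
        self.stats = Counter()
        self.drop_threshold = drop_threshold
        self.window = window            # seconds
        self._drop_times = []
        self.alerts = []                # timestamps at which a drop burst was flagged

    def _rules_allow(self, p):
        # Step 2: a TCP flow may only be opened by a plain SYN; a SYN/ACK with no
        # state behind it is exactly the out-of-state traffic step 3 should drop.
        if p.proto == "tcp" and p.flags != "S":
            return False
        return (p.proto, p.dport) in self.rules

    def process(self, p):
        key = flow_key(p)
        if key in self.flows:                       # step 1: fast path
            self.stats["pass_state"] += 1
            return "pass"
        if self._rules_allow(p):                    # step 2: rule evaluation
            self.flows.add(key)
            self.stats["pass_new"] += 1
            return "pass"
        self.stats["drop"] += 1                     # step 3: O(1) drop, no state
        self._record_drop(p.ts)
        return "drop"

    def _record_drop(self, ts):
        self._drop_times.append(ts)
        while self._drop_times and ts - self._drop_times[0] > self.window:
            self._drop_times.pop(0)                 # expire drops outside the window
        if len(self._drop_times) >= self.drop_threshold:
            if not self.alerts or ts - self.alerts[-1] > self.window:
                self.alerts.append(ts)              # one alert per window


def constructed_traffic():
    """Constructed sample traffic (documentation address ranges, not real hosts):
    10 legitimate clients, one allowed and one disallowed UDP packet, then a
    200-packet spoofed SYN/ACK burst against port 80."""
    pkts = []
    for i in range(10):
        src = f"192.0.2.{i + 1}"
        pkts.append(Packet(0.1 * i, src, "203.0.113.10", 80, "tcp", "S"))
        pkts.append(Packet(0.1 * i + 0.05, src, "203.0.113.10", 80, "tcp", "A"))
    pkts.append(Packet(2.0, "192.0.2.50", "203.0.113.10", 53, "udp", ""))     # allowed
    pkts.append(Packet(2.1, "192.0.2.51", "203.0.113.10", 9999, "udp", ""))   # rule miss
    for i in range(200):
        pkts.append(Packet(5.0 + 0.001 * i, f"198.51.100.{i % 254 + 1}",
                           "203.0.113.10", 80, "tcp", "SA"))
    return sorted(pkts, key=lambda p: p.ts)


def run_demo():
    """Run the constructed traffic through the filter; returns (stats, alerts)."""
    fw = StatefulFilter(rules={("tcp", 80), ("udp", 53)})
    for p in constructed_traffic():
        fw.process(p)
    return dict(fw.stats), fw.alerts


if __name__ == "__main__":
    stats, alerts = run_demo()
    print("counters:", stats)
    print("drop-burst alerts at:", alerts)
```

Every packet of the flood takes the step-3 path without touching the state table, which is the cheap behaviour the post argues a filter must have; the alert fires once the window holds 50 drops, and that counter is the kind of signal worth exporting to monitoring so the start of a flood is visible before the box or the upstream pipe is saturated.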